
Sophos Endpoint Security and Control 10.3 Recommended release notes

October 2014

About these release notes

These are the release notes for Sophos Endpoint Security and Control 10.3 for Windows Recommended versions, managed by Sophos Enterprise Console or standalone.

Some of the features mentioned in these release notes are only available on managed computers or if you have the appropriate license.

Note: You may find that you cannot yet download and use the latest version on the list below. This is because Sophos releases the software over a number of days, but publishes the release notes on the first day.

Version 10.3.11, October 2014

Components

Sophos Anti-Virus (SAV) 10.3.11.2
Threat detection engine 3.53
Sophos Client Firewall (SCF) 3.0.3 (Windows 8), 2.9.4 (Windows 7 and earlier)

Sophos AutoUpdate (SAU) 3.1.4
Sophos Patch Agent 1.0.307.0

New features

Component Description
Sophos Anti-Virus The on-access file system filter driver for Windows 8, Windows 8.1, Windows 2012 and Windows 2012 R2 has been updated to improve system performance.
Sophos Anti-Virus The threat detection engine has been updated.
Sophos Device Control The following devices have been added to the list of secure removable storage devices:
  • CTWO SafeXs 3.0 secure USB flash drive
  • SafeToGo hardware-encrypted USB flash drive
  • Imation IronKey Basic D250 USB flash drive
  • Kingston's DataTraveler Vault Privacy 3.0 USB flash drive
  • DataLocker Sentry FIPS 140-2 Drive
Sophos Device Control Intel Centrino Wireless Bluetooth Adapter has been added to the list of Bluetooth interfaces.
Competitor Removal Tool The following products have been added to the Sophos Competitor Removal Tool integrated with Sophos Endpoint Security and Control (iCRT):
  • Symantec Endpoint Protection v12.1.4013.4013
  • Norman Endpoint Protection 9

Resolved issues

Component Issue ID Description
Sophos Anti-Virus, Sophos AutoUpdate KB121385 Fixed an installation and upgrade issue that occurred on Windows Server 2003 following the release of Microsoft Security Update KB2918614.
Sophos Anti-Virus DEF97549 Unquoted paths in the Sophos Anti-Virus 10.3.7 installer cause the installation, upgrade or uninstallation of Sophos Anti-Virus to fail on 64-bit versions of Windows. This happens if a file with a file name beginning with "program" is present in the root of the system drive.
Sophos Anti-Virus DEF97183 Sophos Anti-Virus 10.3.7 does not install on a Server Core installation of Windows Server 2012.
Sophos Anti-Virus DEF88319 Email alerting settings for right-click scanning do not change when the global email alerting settings are changed.
Sophos AutoUpdate WKI97704 The updating status "Unknown" is displayed in the Up to date column in Sophos Enterprise Console after a major Sophos AutoUpdate upgrade on an endpoint and until the next endpoint update. This happens because not all of the old threat identity (IDE) files are being deleted on upgrade; they are then deleted during the next update.
Sophos AutoUpdate DEF97693 The Sophos Agent service (ManagementAgentNT.exe) crashes when the size of the Sophos AutoUpdate policy file is 0 bytes.
Sophos AutoUpdate WKI97618 In Endpoint Security and Control 10.3.7, Sophos AutoUpdate doesn't work if Citrix Single Sign-On Plug-in is installed on the same machine.
Sophos AutoUpdate WKI97582 In Endpoint Security and Control 10.3.7, Sophos AutoUpdate 3.1 doesn't work if a Hummingbird client is installed on the same machine.
Sophos AutoUpdate DEF97279 Basic authentication for proxies fails with Sophos Anti-Virus 10.3.7.
Sophos AutoUpdate DEF97247 Updating fails with manifest errors when a standalone Sophos Anti-Virus package is installed to a non-default location and then updated from a Central Installation Directory (CID).
Sophos AutoUpdate DEF95816 When Sophos AutoUpdate 2.x is upgraded to version 3.1 on an endpoint that updates from a CID, the following error message appears:

Sophos AutoUpdate - Error 25010. An error occurred while running the custom action 'UpdateProductInfo'. Reason: Unable to read ProductID.dat or Migration.dat. Contact your support personnel.

Data Control DEF92713 Data Control causes a Windows 8 tablet to start slowly.
Sophos Web Control DEF96534 Adding a period to the end of a URL blocked by domain name allows access to the URL.
Sophos Web Control DEF95866 A "this page has been blocked" pop-up message is displayed for an allowed page that has links to a website blocked by category (for example, Facebook, when blocked under the Personals and Dating category).
Sophos Web Control DEF95685 Endpoints do not automatically get a web control policy from a new Sophos Web Appliance (SWA) or UTM appliance after they have been managed by a different SWA or UTM appliance.
Sophos Web Control DEF95345 Add support for WebSockets in Sophos Web Intelligence (SWI) service.
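
The trailing-period issue listed above (DEF96534) is a hostname canonicalization problem: in DNS, "blocked.example." and "blocked.example" name the same host, so a block-by-domain check has to compare a normalized host name. The following is an added illustration, not Sophos code; the blocklist entries, function names and sample URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample policy: domains blocked by name (not taken from the release notes).
BLOCKED_DOMAINS = frozenset({"blocked.example", "ads.example.net"})


def naive_host(url):
    """Host as written in the URL (urlsplit lower-cases it, nothing else)."""
    return urlsplit(url).hostname or ""


def canonical_host(url):
    """Host reduced to the form a policy lookup should compare against."""
    host = urlsplit(url).hostname or ""
    # "name." is the fully qualified spelling of "name"; drop the root dot(s)
    # so both spellings map to the same policy key.
    return host.rstrip(".")


def is_blocked(host, blocked=BLOCKED_DOMAINS):
    """True if host is a blocked domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in blocked)


def check(url):
    """Compare the verdict of the naive lookup with the canonical one."""
    return {
        "naive": is_blocked(naive_host(url)),
        "canonical": is_blocked(canonical_host(url)),
    }


if __name__ == "__main__":
    samples = [                                   # constructed test URLs
        "http://blocked.example/page",
        "http://blocked.example./page",           # trailing period
        "http://WWW.Blocked.Example.:8080/",      # case, subdomain, port
        "http://notblocked.example/",             # must stay allowed
    ]
    for url in samples:
        print(url, check(url))
```

A regression test for a filter of this kind should include the trailing-period spelling of every blocked domain, alongside mixed-case and subdomain variants.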

Version 10.3.7, April 2014

Components

Sophos Anti-Virus (SAV) 10.3.7
Threat detection engine 3.51.1
Sophos Client Firewall (SCF) 3.0.3 (Windows 8), 2.9.4 (Windows 7 and earlier)

Sophos AutoUpdate (SAU) 3.1.1.18
Sophos Patch Agent 1.0.307.0

New features

Component Description
Sophos Anti-Virus The threat detection engine has been updated.
Sophos Anti-Virus The Sophos Anti-Virus drivers have been rebuilt with an updated compiler.
Sophos Device Control Sophos Device Control can now block access to smart phones or other devices that use the MTP/PTP protocols. This option can only be set centrally at the management console.
Sophos AutoUpdate The back-end updating system has been upgraded.
Sophos AutoUpdate The threat data is now distributed as a supplement, which is updated independently from Endpoint Security and Control and allows for more frequent updates.
Sophos Client Firewall A number of security enhancements have been implemented in Sophos Client Firewall.
Sophos Patch Windows 8 support.
Sophos Web Control Windows 8 support.

Resolved issues

Component Issue ID Description
Sophos Device Control DEF93728 Add IronKey Enterprise D250 4GB to the list of secure removable storage devices.
Sophos Device Control DEF93180 Add Kingston DataTraveler Locker+ G2 8GB to the list of secure removable storage devices.
Sophos Device Control DEF91534 If device control is enabled on a computer running VMware Tools and access to floppy disk drives is set to read-only, this message is repeatedly displayed on the desktop: "Access to device blocked by Sophos. Write access to controlled device type 'Floppy disk drives' blocked by the administrator". The message is also added to the log. This happens because the VMware Tools service attempts to access the floppy drive every few seconds (and will continue to do so even if the floppy drive is no longer connected).
Sophos Device Control DEF73772 Sophos Device Control displays the message "Device Control failed when checking volume access: device name=\device\volume, errorCode-0x8000ffff". This is because an error has occurred in the process that checks whether a device is read-only.
Sophos Device Control DEF87140 Realtek RTL8187B Wi-Fi chipset is not detected as a Wi-Fi device by Device Control.
Sophos Anti-Virus SUG94215 Policies lost on downgrade from version 10.3.3 (Preview) to version 10.3.1 (Recommended).
Sophos AutoUpdate DEF94488 The version of Sophos AutoUpdate is incorrectly reported in the Sophos Endpoint Security and Control user interface for non-administrator users.
Sophos AutoUpdate DEF94174 Enhance security permissions on the AutoUpdate program folder.
Sophos AutoUpdate DEF85587 Sophos AutoUpdate uninstallation or reinstallation fails if certain components are missing.
Sophos Client Firewall WKI94527 Microsoft update KB2887595 for Windows 8.1 causes a conflict with Sophos Client Firewall.
Sophos Web Control DEF79725 Sophos Web Control doesn't work when a user uses Internet Explorer in the new Windows 8 UI.

Version 10.3.1, February 2014

Components

Sophos Anti-Virus (SAV) 10.3.1
Threat detection engine 3.50.1
Threat data 4.98, February 2014
Sophos Client Firewall (SCF) 3.0.0 (Windows 8), 2.9.3 (Windows 7 and earlier)

Sophos AutoUpdate (SAU) 2.9.0

New features

Component Description
Sophos Anti-Virus The threat data has been updated.

Resolved issues

Component Issue ID Description
Sophos Anti-Virus DEF93356 Vulnerability in Microsoft Detours software used in Sophos Anti-Virus.

Version 10.3.1, January 2014

Components

Sophos Anti-Virus (SAV) 10.3.1
Threat detection engine 3.50.1
Threat data 4.97, January 2014
Sophos Client Firewall (SCF) 3.0.0 (Windows 8), 2.9.3 (Windows 7 and earlier)

Sophos AutoUpdate (SAU) 2.9.0

New features

Component Description
Sophos Anti-Virus The threat detection engine and threat data have been updated.

Version 10.3.1, December 2013

Components

Sophos Anti-Virus (SAV) 10.3.1
Threat detection engine 3.48.0
Threat data 4.96, December 2013
Sophos Client Firewall (SCF) 3.0.0 (Windows 8), 2.9.3 (Windows 7 and earlier)

Sophos AutoUpdate (SAU) 2.9.0

New features

Component Description
Sophos Anti-Virus The threat data has been updated.

Version 10.3.1, November 2013

Components

Sophos Anti-Virus (SAV) 10.3.1
Threat detection engine 3.48.0
Threat data 4.95, November 2013
Sophos Client Firewall (SCF) 3.0.0 (Windows 8), 2.9.3 (Windows 7 and earlier)

Sophos AutoUpdate (SAU) 2.9.0

New features

Component Description
Sophos Anti-Virus The threat data has been updated.

Version 10.3.1, October 2013

Components

Sophos Anti-Virus (SAV) 10.3.1
Threat detection engine 3.48.0
Threat data 4.94, October 2013
Sophos Client Firewall (SCF) 3.0.0 (Windows 8), 2.9.3 (Windows 7 and earlier)

Sophos AutoUpdate (SAU) 2.9.0

New features

Component Description
Sophos Anti-Virus The threat detection engine and threat data have been updated.
Sophos Client Firewall Sophos Client Firewall is now supported on Windows 8.

Resolved issues

Component Issue ID Description
Sophos Anti-Virus DEF89597 The Sophos Anti-Virus driver installation fails if the RunOnce system registry key is missing.
Sophos Anti-Virus DEF88664 SAVProxy.exe fails on a Citrix XenApp server.
Sophos Anti-Virus DEF87023 Real Player streaming plugin fails to load over an RTSP connection when Download Scanning is enabled.
Sophos Client Firewall DEF87118 In an environment with Check Point VPN and Sophos Client Firewall, intermittent issues occur with location awareness, where the location fails to change to "both" and remains set to "secondary".
Sophos Client Firewall DEF83937 During upgrade from Sophos Client Firewall 2.5 to Sophos Client Firewall 2.9, the Sophos Client Firewall 2.5 driver is not disabled, resulting in a loss of network connectivity on network computers.
Sophos Client Firewall SUG79550 The firewall installer process should be modified to roll back the installation should any part of the firewall installation be detected to fail, as an incomplete installation can in some cases affect TCP/IP communication on the target PC.
Sophos Client Firewall DEF78179 Messaging between the Sophos Client Firewall processes should have tighter security.
Sophos Client Firewall DEF73491 Location awareness issue in combination with Sophos Device Control. When a laptop with Sophos Client Firewall and Sophos Device Control option Block bridged enabled is undocked and switches from an Ethernet connection to a wireless connection, the firewall location remains set to "primary" until the laptop is docked, connected to an Ethernet network, and the wireless adapter is disabled. Then the location switches to "secondary" location. DNS timeouts occur in the trace logs.
Sophos Web Control DEF90276 On UTM managed endpoints, a Web Control policy cannot be applied to Windows XP or Windows 2003 endpoints if automatic proxy detection is enabled.

Other changes

Product lifecycle policy changes

From June 2013 Sophos is changing the product lifecycle policy for Endpoint products. For existing customers, an additional "Preview" product tag has been added in Windows 2000 and above subscriptions. For more information, go to http://www.sophos.com/en-us/support/knowledgebase/112580.aspx.

New customers who install Sophos Enterprise Console version 5.2.1 for the first time will see a new set of subscription packages. For more information about the packages and product versions, see http://www.sophos.com/en-us/support/knowledgebase/119216.aspx.

Known issues and limitations

Component Issue ID Description
Competitor Removal Tool DEF87203 The Sophos Competitor Removal Tool does not restore the registry keys for VBScript, WScript and Java when removing McAfee Security as a Service 5.4. Workaround: Remove the software using Add/Remove Programs in Control Panel before installing Sophos Endpoint Security and Control.
Competitor Removal Tool DEF84842 The Sophos Competitor Removal Tool fails to remove Norton Internet Security 2010 (version 17.x). Workaround: Remove the software using Add/Remove Programs in Control Panel before installing Sophos Endpoint Security and Control.
Data Control DEF79180 Files that breach a data control rule can still be transferred to a Windows 8 storage pool.
Installer DEF84838 Protecting Windows 8 or Windows Server 2012 computers that are in a workgroup from Sophos Enterprise Console 5.1 on Windows Server 2008 or Windows Server 2008 R2 fails with the errors "Failed to launch setup.exe" and "2147942405".

For more information and instructions on how to enable deployment, see http://www.sophos.com/en-us/support/knowledgebase/118354.aspx.

Sophos Anti-Virus DEF85118 If you use the Internet Explorer 10 Windows 8 Modern UI application to access a malicious HTTPS website, Sophos Anti-Virus displays a balloon notification instead of a toast. This means that you do not see the notification until you view the desktop.
Sophos Anti-Virus DEF84420 If you use a browser's Windows 8 Modern UI application to access a malicious website, and you click the toast that Sophos Anti-Virus displays, the browser is minimized and the desktop is displayed instead. To switch back to the browser, press Alt+Tab.
Sophos Anti-Virus DEF83463 Although Sophos Anti-Virus can now scan files that are locked during an on-demand scan, it cannot perform cleanup successfully.
Sophos Anti-Virus DEF79726 If you use Internet Explorer 10 or 11 as a Windows 8 or 8.1 Modern UI application with Enhanced Protected Mode enabled, Sophos web protection does not stop you from accessing malicious websites. For more information, see http://www.sophos.com/en-us/support/knowledgebase/119957.aspx.
Sophos Anti-Virus DEF79482 iSCSI mount points cannot be excluded from on-access scanning.
Sophos Anti-Virus - Sophos web protection and web control use a Layered Service Provider (LSP) to intercept network traffic. If web protection or web control is turned on while an incompatible third-party LSP is running, system instability can occur. Therefore, if a third-party LSP that is known to be incompatible is already installed on the computer, the Sophos LSP is not installed. For more information, see http://www.sophos.com/en-us/support/knowledgebase/116241.aspx.
Sophos AutoUpdate WKI64768 AutoUpdate does not support updating through proxies that use WDigest authentication. However, AutoUpdate does support normal digest authentication. For more information, see http://www.sophos.com/en-us/support/knowledgebase/112633.aspx.

Additional information

System requirements

Sophos Endpoint Security and Control is supported on Windows XP/2003/Vista/2008/7/8/2012. For a full list of system requirements, see System Requirements for Antivirus protection for Windows.

Which maintenance version of Endpoint Security and Control do I have?

To find out which maintenance version of Endpoint Security and Control (for example, 10.3.7) is running on your computer:

  1. Open Endpoint Security and Control.
  2. In the left-hand pane, under Help and information, click View product information.
  3. Under Anti-virus and HIPS, click Software.

Deployment

Automatic deployment of Endpoint Security and Control to Windows 8 and Windows Server 2012 from Enterprise Console requires Enterprise Console 5.1 or later.

Automatic deployment of Endpoint Security and Control to Windows 8.1 and Windows Server 2012 R2 from Enterprise Console requires Enterprise Console 5.2.1 R2 or later.

If you are using Enterprise Console 5.0 or earlier, you can install the software by running the installer from a bootstrap location that contains a software subscription for version 10.3. For more information on manual installation, see http://www.sophos.com/en-us/support/knowledgebase/12386.aspx.

Support for Windows 8 and Windows Server 2012

  • On Windows 8, Endpoint Security and Control uses toast notifications instead of balloon notifications to display messages on screen.
  • On Windows 8, if you specify a user-defined message to be displayed in desktop messages, it is not displayed in toasts. For more information, see http://www.sophos.com/en-us/support/knowledgebase/118233.aspx.
  • On Windows 8, if Sophos Anti-Virus cleans up a threat that affects a Windows Store app, it marks the app as tampered with. This causes Windows to offer the user the ability to re-download and re-install the app.
  • Rootkit scanning is not supported on ReFS file systems on Windows Server 2012. If the user attempts a rootkit scan on this file system, a message will be logged in the SAV log telling them that rootkit scanning is not supported.

Sophos Client Firewall

  • A number of features have been removed from Sophos Client Firewall 3.0 for Windows 8:

    Interactive mode
    Hidden process detection
    Modified memory detection
    Rawsocket applications (rawsockets are treated the same as other connections)
    Non-stateful rules
    The option Concurrent connections for TCP rules
    The option Where the local port is equal to the remote port

  • Sophos Client Firewall does not support the "mobile broadband" driver model in Windows 7.
  • When you install Sophos Client Firewall, all network adapters are temporarily disconnected. This results in network connections being unavailable for up to 20 seconds and the disconnection of networked applications such as Microsoft Remote Desktop.
  • When the log is displayed in a view that auto-refreshes (such as Allowed connections), the view stops refreshing if the service is under a heavy load. After changing to a different view and then back again, auto-refreshing works normally.

Application Control

When Sophos Anti-Virus detects a controlled application on a remote share, the alert always shows that the application was detected on the local computer.

Sophos Device Control

Sophos Device Control does not block removable storage devices that are used as system drives, as this typically destabilizes the operating system.

Unsupported scenarios

  • Endpoint Security and Control standalone installations do not support Windows Server Core.
  • Endpoint Security and Control managed and standalone installations do not support Windows Server Core Hyper-V.

Shared Windows components

When you install Sophos software, some Windows components that might also be used by non-Sophos software are also installed or upgraded:

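| Sophos software | Shared Windows component name | File name | Version | Date of inclusion with Sophos software |
|---|---|---|---|---|
| Sophos Anti-Virus | Microsoft XML Core Services | msxml4.dll | 4.30.2100.0 | September 2009 |
| Sophos Anti-Virus | Microsoft XML Core Services | msxml4r.dll | 4.30.2100.0 | September 2009 |
| Sophos Anti-Virus | ATL Library | atl90.dll | 9.0.30729.4148 | June 2013 |
| Sophos Anti-Virus | Microsoft Visual C/C++ Runtime Libraries | msvcm90.dll | 9.0.30729.4148 | June 2013 |
| Sophos Anti-Virus | Microsoft Visual C/C++ Runtime Libraries | msvcp90.dll | 9.0.30729.4148 | June 2013 |
| Sophos Anti-Virus | Microsoft Visual C/C++ Runtime Libraries | msvcr90.dll | 9.0.30729.4148 | June 2013 |
| Sophos AutoUpdate | Windows Installer | msi.dll | 2.0.2600.2 | November 2003 |
| Sophos AutoUpdate | Windows Installer | msiexec.exe | 2.0.2600.2 | November 2003 |
| Sophos AutoUpdate | Windows Installer | msihnd.dll | 2.0.2600.2 | November 2003 |
| Sophos AutoUpdate | Windows Installer | msimain.sdb | N/A | November 2003 |
| Sophos AutoUpdate | Windows Installer | msimsg.dll | 2.0.2600.2 | November 2003 |
| Sophos AutoUpdate | Windows Installer | msisip.dll | 2.0.2600.2 | November 2003 |
| Sophos AutoUpdate | Windows Installer | msls31.dll | 3.10.337.0 | November 2003 |
| Sophos AutoUpdate | Windows Installer | mspatcha.dll | 5.1.2600.0 | November 2003 |
| Sophos AutoUpdate | Windows Installer | riched20.dll | 5.30.23.1200 | November 2003 |
| Sophos AutoUpdate | Windows Installer | sdbapiU.dll | 1.0.0.1 | November 2003 |
| Sophos AutoUpdate | Windows Installer | shfolder.dll | 5.0.2919.20 | November 2003 |
| Sophos AutoUpdate | Windows Installer | usp10.dll | 1.325.2180.1 | November 2003 |
| Sophos Client Firewall 3.0 for Windows 8 | Microsoft XML Core Services | msxml4.dll | 4.30.2100.0 | June 2013 |
| Sophos Client Firewall 3.0 for Windows 8 | Microsoft XML Core Services | msxml4r.dll | 4.30.2100.0 | June 2013 |
| Sophos Client Firewall 3.0 for Windows 8 | Microsoft Visual C/C++ Runtime Libraries | msvcm90.dll | 9.0.30729.6161 | June 2013 |
| Sophos Client Firewall 3.0 for Windows 8 | Microsoft Visual C/C++ Runtime Libraries | msvcp90.dll | 9.0.30729.6161 | June 2013 |
| Sophos Client Firewall 3.0 for Windows 8 | Microsoft Visual C/C++ Runtime Libraries | msvcr90.dll | 9.0.30729.6161 | June 2013 |
| Sophos Client Firewall 2.9 for Windows 7 and earlier | Microsoft XML Core Services | msxml4.dll | 4.30.2100.0 | September 2009 |
| Sophos Client Firewall 2.9 for Windows 7 and earlier | Microsoft XML Core Services | msxml4r.dll | 4.30.2100.0 | September 2009 |
| Sophos Client Firewall 2.9 for Windows 7 and earlier | Microsoft Visual C/C++ Runtime Libraries | msvcm90.dll | 9.0.30729.6161 | October 2013 |
| Sophos Client Firewall 2.9 for Windows 7 and earlier | Microsoft Visual C/C++ Runtime Libraries | msvcp90.dll | 9.0.30729.6161 | October 2013 |
| Sophos Client Firewall 2.9 for Windows 7 and earlier | Microsoft Visual C/C++ Runtime Libraries | msvcr90.dll | 9.0.30729.6161 | October 2013 |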

Technical support

You can find technical support for Sophos products in any of these ways:

Legal notices

Copyright © 2011–2014 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, Sophos Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.